Malicious code just found on web server

Paul Ferguson fergdawgster at gmail.com
Mon Apr 20 17:36:39 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Apr 20, 2009 at 10:23 AM, Mike Lewinski <mike at rockynet.com> wrote:

> Paul Ferguson wrote:
>
>> Most likely SQL injection. At any given time, there are hundreds of
>> thousands of "legitimate" websites out there that are unwittingly
>> harboring
>> malicious code.
>
> Most of the MS-SQL injection attacks we see write malicious javascript
> into the DB itself so all query results include it. However, I'm not sure
> how easy it is to leverage to get system access - we've seen a number of
> compromised customer machines and there didn't appear to be any further
> compromise of them beyond the obvious. In the OP's case it sounds like
> static HTML files were altered. My bet is that an ftp or ssh account was
> brute forced.
>

Yes -- SQL Injection directly into the HTML.

Happening all over the place, hundreds of thousands at a time --- we've
been trying to highlight the fact that improper configuration of web
services, "unescaped" configurations, etc., allow SQL injection to insert
code (e.g. JavaScript, iFrames, etc.)  directly into the HTML or Header.

See also:

http://en.wikipedia.org/wiki/Sql_injection#Real-world_examples

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ7LKiq1pz9mNUZTMRAu3sAJ9MB6NH+qn8/idSbfqMk8TRQPzy5gCfb/QY
DUCdgzPRORtsLyfDFrfkgTw=
=Ar/O
-----END PGP SIGNATURE-----


-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/




More information about the NANOG mailing list